Grid computing is a method of harnessing the power of many computational resources in a network. Grid computing is a distributed computer infrastructure involving large-scale sharing of applications and/or high-performance processing and network bandwidth.
Referring to FIG. 1, a grid computing environment comprises a plurality of heterogeneous computing nodes distributed across multiple administrative domains. A virtual organization (e.g., VO-X, VO-Y, and VO-Z) may include nodes from different domains. For example, VO-Z includes nodes from each of Administrative Domains 110, 120, and 130.
A node (hereinafter also referred to as a computing resource) may be a member of several virtual organizations. An end-user (e.g., USER M, USER N, or USER O) may need to access remote nodes either in the same administrative domain or across domains. For example, User O may access VO-Y from within Domain 120, or User N within Domain 130 may access the same node from outside of Domain 120. Similarly, User M of Domain 130 may access both VO-Y and VO-Z through a single node in Domain 110.
Traditionally, grid computing has provided for the execution of batch jobs in the scientific and academic community. Batch execution on a grid computing environment requires authentication, authorization, resource access, resource discovery, and other services. In support of batch processing of jobs on a grid computing environment, protocols, services, application programming interfaces, and software development kits have been developed. These conventional methods and systems are not particularly suited to interactive grid computing sessions.
A grid user must typically be granted authorization by an administrator of the domain to which the desired resource belongs. This usually entails generating a policy file for each user. However, requiring a user to have local accounts for the resources that can possibly be allocated to him has several drawbacks. A system using static accounts is difficult to scale, since there may be millions of potential users of a system by virtue of their membership in the grid. As members get added or removed from a grid, local system administrators at participating sites cannot be expected to add or delete user accounts. The maintenance of millions of accounts, for example, at the participating sites using methods provided by operating systems would be a very heavy burden for system administrators.
In systems having large numbers of occasional users, dynamic accounts may be used to avoid having to deal with the problems of maintaining a large number of static accounts. A dynamic account is not permanently associated with a real-world user. It is assigned to a user for the duration of one or more interactive sessions or batch jobs on the allocated computer. When the association ends, the dynamic account is returned to the free pool and is available for assignment to another user.
Although dynamic accounts avoid the difficulty of having to maintain static accounts for all potential users, there is still considerable overhead involved in managing the set of dynamic accounts. For each account, an administrator is typically required to add an entry to a gridmap file, creating a mapping between the user's grid credentials and the pool of dynamic accounts to be used. This entry uses the part of the grid credentials that is known as the user's distinguished name (DN). The DN is based upon a hierarchical naming standard that makes it possible to uniquely identify the user.
Normally, the DN of a user is extracted from his credentials and a file named with the DN is created in the file system. This file is actually a symbolic link that points to another file that is named with the dynamic account allocated to the user. If a second user initiates a session using a DN linked to a current dynamic account, the second user will be assigned to the same dynamic account. Under conventional dynamic account management, if two users sharing a common grid credential are allocated the same resource, both of their sessions will run on the same dynamic account. This creates an unstable situation in which the two users may overwrite each other's files and terminate each other's processes. What is needed is a dynamic account management method that reduces the burden on local domain administrators and allows users to share a DN without potential interference.
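The DN-keyed symbolic-link mapping described in the two preceding paragraphs, and the interference it causes when two sessions present the same DN, can be reproduced in a few lines. The following is an added example, not code from the original text or from any grid middleware: it models the conventional scheme (one symlink per DN in a map directory, pointing at a file named after the allocated dynamic account), records which active session holds which account so that account sharing can be detected, and, as a labelled assumption that goes beyond the page, shows a variant keyed on (DN, session id) that keeps sessions with a shared credential on separate accounts. The DN, account names and session ids are constructed sample values.

```python
import os
import shutil
import tempfile

# Constructed sample values (not from the original text).
DN_SHARED = "/C=US/O=ExampleGrid/OU=Project/CN=shared-credential"
POOL = ["dynacct01", "dynacct02", "dynacct03"]


def dn_to_filename(dn):
    """Encode a DN as a single path component; '/' is the DN's own separator."""
    return dn.replace("/", "_")


class ConventionalPool:
    """Conventional scheme as the text describes it: the map directory holds one
    symbolic link per DN, pointing at a file named after the dynamic account."""

    def __init__(self, mapdir, accounts):
        self.mapdir = mapdir
        self.free = list(accounts)
        self.sessions = {}  # session_id -> dynamic account (for the sharing check)
        for acct in accounts:
            # One placeholder file per dynamic account; links point at these.
            open(os.path.join(mapdir, acct), "w").close()

    def map_key(self, dn, session_id):
        # Conventional behaviour: the mapping is keyed on the DN alone.
        return dn

    def allocate(self, dn, session_id):
        link = os.path.join(self.mapdir, dn_to_filename(self.map_key(dn, session_id)))
        if os.path.islink(link):
            # A link for this key already exists, so the new session lands on
            # the account it points to. With a DN-only key this is the
            # interference case: two sessions, one account.
            acct = os.path.basename(os.readlink(link))
        else:
            if not self.free:
                raise RuntimeError("no free dynamic accounts")
            acct = self.free.pop(0)
            os.symlink(os.path.join(self.mapdir, acct), link)
        self.sessions[session_id] = acct
        return acct


class PerSessionPool(ConventionalPool):
    """Hypothetical variant (an assumption, not the page's method): key the
    link on DN plus session id so a shared DN no longer implies a shared account."""

    def map_key(self, dn, session_id):
        return "%s/session=%s" % (dn, session_id)


def shared_accounts(pool):
    """Detection check: accounts currently held by more than one active session."""
    by_acct = {}
    for sid, acct in pool.sessions.items():
        by_acct.setdefault(acct, []).append(sid)
    return {acct: sids for acct, sids in by_acct.items() if len(sids) > 1}


def run(pool_cls):
    """Start two sessions that present the same DN and report what happened."""
    mapdir = tempfile.mkdtemp(prefix="gridmap-")
    try:
        pool = pool_cls(mapdir, POOL)
        a = pool.allocate(DN_SHARED, "sess-A")
        b = pool.allocate(DN_SHARED, "sess-B")
        return {"a": a, "b": b, "shared": shared_accounts(pool), "free": list(pool.free)}
    finally:
        shutil.rmtree(mapdir)


if __name__ == "__main__":
    print("conventional:", run(ConventionalPool))
    print("per-session: ", run(PerSessionPool))
```

Running the module shows the conventional pool giving both sessions `dynacct01` and the sharing check flagging that account, while the per-session pool hands out `dynacct01` and `dynacct02`. The `shared_accounts` check is the piece a site administrator can reuse against real session records: any dynamic account held by two live sessions is one where file overwrites and cross-session process termination become possible.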